Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup default_match for multiple columns?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using a CSV to map one field to two more:
status,status_title,status_type,status_ok -,Network connection successful,Network success,Success D,DNS lookup failure,Network failure,Failure
etc, with a lookup:
lookup network_status_codes status AS receiver_network_status OUTPUTNEW
status_title AS network_status_title,
status_type AS network_status_type,
status_ok AS network_status_ok
How can I handle falling back to defaults for all three columns? The default_match field appears to only let me provide one fallback; I don't think I can use:
[network_status_codes] filename = network_status_codes.csv min_matches = 1 default_match = Unknown network error,Network failure,Failure
here.
Should I use a wildcard match instead? E.g. add a row:
*,Unknown network error,Network failure,Failure
then set the match type:
match_type = WILDCARD(status)
to make this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:
| fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok
instead in the query; e.g. when the lookup fails supply default values manually.
Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wildcard requires enabling in transforms.conf, e.g.
match_type = WILDCARD(status)
max_matches = 1
The max_matches stops the status matching the wildcard for known values. The lookup csv file can then have an extra entry:
*,Default title,Default type,Default ok
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:
| fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok
instead in the query; e.g. when the lookup fails supply default values manually.
Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
